0

我有一个 spring-boot Web 应用程序,它通过这个类声明一些安全性:

 @Configuration
 @EnableWebSecurity
 @Order(Ordered.LOWEST_PRECEDENCE - 50) // needs to be after SpringBootAuthenticationConfigurerAdapter to register default in memory user
 public class StorefrontSecurityConfig extends GlobalAuthenticationConfigurerAdapter {

     @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER - 1)
     @Configuration
     public static class MyStorefrontSecurityConfig extends WebSecurityConfigurerAdapter {
       .....
     }

一切正常。我还将这些注释添加到我的一些服务方法中:

@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
void approve(final EntityModificationEntityDefinition entity);

@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
void reject(final EntityModificationEntityDefinition entity);

现在他们做的不多——这很好。但现在我使用以下配置创建 jar 文件:

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
public class PersonalizationConfig extends GlobalMethodSecurityConfiguration {

private final Logger LOG = LogManager.getLogger(getClass());

/* Global Method Security */

@Override
public AccessDecisionManager accessDecisionManager() {
    final List<AccessDecisionVoter<? extends Object>> accessDecisionVoters = new ArrayList<>();
    accessDecisionVoters.add(new RoleVoter());
    accessDecisionVoters.add(new AuthenticatedVoter());
    accessDecisionVoters.add(new PreInvocationAuthorizationAdviceVoter(preInvocationAuthorizationAdvice()));

    final UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters);
    accessDecisionManager.setAllowIfAllAbstainDecisions(true);

    return accessDecisionManager;
}

@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
    return this.defaultMethodSecurityExpressionHandler();
}

这个 jar 中有一个spring.factories文件,META-INF以便加载作为 spring-boot 应用程序@Configuration。现在我希望当我在类路径中包含这个 jar 时,@PreAuthorize注释开始工作。但是我看到的是它AbstractSecurityExpressionHandler被调用并调用了抽象方法,该方法createSecurityExpressionRoot(authentication, invocation);总是去DefaultWebSecurityExpressionHandler而不是去DefaultMethodSecurityExpressionHandler. 当我的应用程序启动时,我可以看到它DefaultMethodSecurityExpressionHandler是构造的,所以我真的不确定这里会发生什么。

编辑:这是我的spring.factories文件: org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.nemesis.platform.module.personalization.core.config.PersonalizationConfig

4

0 回答 0